Lots of nginx errors in logs after upgrade
-
All seems to be running well; however, in the System / General log I get a number of errors every day:
May 1 17:07:29 pfsense.magic nginx: 2016/05/01 17:07:29 [error] 37886#0: *3305 open() "/usr/local/www/redir/cgi-bin/ajaxmail" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /redir/cgi-bin/ajaxmail HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:29 pfsense.magic nginx: 2016/05/01 17:07:29 [error] 37886#0: *3304 open() "/usr/local/www/fcgi-bin/performance.fcgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /fcgi-bin/performance.fcgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:28 pfsense.magic nginx: 2016/05/01 17:07:28 [error] 37886#0: *3303 open() "/usr/local/www/fcgi-bin/dispatch.fcgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /fcgi-bin/dispatch.fcgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:28 pfsense.magic nginx: 2016/05/01 17:07:28 [error] 37603#0: *3302 open() "/usr/local/www/das/cgi-bin/session.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /das/cgi-bin/session.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:28 pfsense.magic nginx: 2016/05/01 17:07:28 [error] 37603#0: *3301 open() "/usr/local/www/wingame.pl" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /wingame.pl HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:28 pfsense.magic nginx: 2016/05/01 17:07:28 [error] 37603#0: *3300 open() "/usr/local/www/webscr" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /webscr HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:28 pfsense.magic nginx: 2016/05/01 17:07:28 [error] 37603#0: *3299 open() "/usr/local/www/webproc" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /webproc HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:28 pfsense.magic nginx: 2016/05/01 17:07:28 [error] 37886#0: *3298 open() "/usr/local/www/verify.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /verify.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:28 pfsense.magic nginx: 2016/05/01 17:07:28 [error] 37886#0: *3297 open() "/usr/local/www/traffic/process.fcgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /traffic/process.fcgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:27 pfsense.magic nginx: 2016/05/01 17:07:27 [error] 37886#0: *3296 open() "/usr/local/www/top/out" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /top/out HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:27 pfsense.magic nginx: 2016/05/01 17:07:27 [error] 37886#0: *3295 open() "/usr/local/www/tjcgi1" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /tjcgi1 HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:27 pfsense.magic nginx: 2016/05/01 17:07:27 [error] 37603#0: *3294 open() "/usr/local/www/te/o.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /te/o.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:27 pfsense.magic nginx: 2016/05/01 17:07:27 [error] 37603#0: *3293 open() "/usr/local/www/start" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /start HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:27 pfsense.magic nginx: 2016/05/01 17:07:27 [error] 37603#0: *3292 open() "/usr/local/www/sse.dll" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /sse.dll HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:27 pfsense.magic nginx: 2016/05/01 17:07:27 [error] 37603#0: *3291 open() "/usr/local/www/spcnweb" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /spcnweb HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:27 pfsense.magic nginx: 2016/05/01 17:07:27 [error] 37886#0: *3290 open() "/usr/local/www/search.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /search.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:26 pfsense.magic nginx: 2016/05/01 17:07:26 [error] 37886#0: *3289 open() "/usr/local/www/rshop.pl" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /rshop.pl HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:26 pfsense.magic nginx: 2016/05/01 17:07:26 [error] 37886#0: *3288 open() "/usr/local/www/readmsg" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /readmsg HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:26 pfsense.magic nginx: 2016/05/01 17:07:26 [error] 37886#0: *3287 open() "/usr/local/www/rbaccess/rbunxcgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /rbaccess/rbunxcgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:26 pfsense.magic nginx: 2016/05/01 17:07:26 [error] 37603#0: *3286 open() "/usr/local/www/rbaccess/rbcgi3m01" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /rbaccess/rbcgi3m01 HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:26 pfsense.magic nginx: 2016/05/01 17:07:26 [error] 37603#0: *3285 open() "/usr/local/www/passremind" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /passremind HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:26 pfsense.magic nginx: 2016/05/01 17:07:26 [error] 37603#0: *3284 open() "/usr/local/www/out.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /out.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:26 pfsense.magic nginx: 2016/05/01 17:07:26 [error] 37603#0: *3283 open() "/usr/local/www/openwebmail/openwebmail-main.pl" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /openwebmail/openwebmail-main.pl HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:25 pfsense.magic nginx: 2016/05/01 17:07:25 [error] 37886#0: *3282 open() "/usr/local/www/navega" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /navega HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:25 pfsense.magic nginx: 2016/05/01 17:07:25 [error] 37886#0: *3281 open() "/usr/local/www/msglist" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /msglist HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:25 pfsense.magic nginx: 2016/05/01 17:07:25 [error] 37886#0: *3280 open() "/usr/local/www/mainsrch" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /mainsrch HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:25 pfsense.magic nginx: 2016/05/01 17:07:25 [error] 37886#0: *3279 open() "/usr/local/www/mainmenu.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /mainmenu.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:25 pfsense.magic nginx: 2016/05/01 17:07:25 [error] 37603#0: *3278 open() "/usr/local/www/logout" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /logout HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:25 pfsense.magic nginx: 2016/05/01 17:07:25 [error] 37603#0: *3277 open() "/usr/local/www/logout" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /logout HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:25 pfsense.magic nginx: 2016/05/01 17:07:25 [error] 37603#0: *3276 open() "/usr/local/www/login" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /login HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:24 pfsense.magic nginx: 2016/05/01 17:07:24 [error] 37603#0: *3275 open() "/usr/local/www/login.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /login.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:24 pfsense.magic nginx: 2016/05/01 17:07:24 [error] 37886#0: *3274 open() "/usr/local/www/link" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /link HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:24 pfsense.magic nginx: 2016/05/01 17:07:24 [error] 37886#0: *3273 open() "/usr/local/www/krcgistart" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /krcgistart HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:24 pfsense.magic nginx: 2016/05/01 17:07:24 [error] 37886#0: *3272 open() "/usr/local/www/krcgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /krcgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:24 pfsense.magic nginx: 2016/05/01 17:07:24 [error] 37886#0: *3271 open() "/usr/local/www/index" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /index HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:24 pfsense.magic nginx: 2016/05/01 17:07:24 [error] 37603#0: *3270 open() "/usr/local/www/index.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /index.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:24 pfsense.magic nginx: 2016/05/01 17:07:24 [error] 37603#0: *3269 open() "/usr/local/www/ib/301_start.pl" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /ib/301_start.pl HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:23 pfsense.magic nginx: 2016/05/01 17:07:23 [error] 37603#0: *3268 open() "/usr/local/www/hslogin.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /hslogin.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:23 pfsense.magic nginx: 2016/05/01 17:07:23 [error] 37603#0: *3267 open() "/usr/local/www/hotspotlogin.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /hotspotlogin.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:23 pfsense.magic nginx: 2016/05/01 17:07:23 [error] 37886#0: *3266 open() "/usr/local/www/getattach" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /getattach HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:23 pfsense.magic nginx: 2016/05/01 17:07:23 [error] 37886#0: *3265 open() "/usr/local/www/frame_html" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /frame_html HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:23 pfsense.magic nginx: 2016/05/01 17:07:23 [error] 37886#0: *3264 open() "/usr/local/www/findweather/hdfForecast" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /findweather/hdfForecast HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:23 pfsense.magic nginx: 2016/05/01 17:07:23 [error] 37886#0: *3263 open() "/usr/local/www/findweather/getForecast" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /findweather/getForecast HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:23 pfsense.magic nginx: 2016/05/01 17:07:23 [error] 37603#0: *3262 open() "/usr/local/www/fg.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /fg.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:22 pfsense.magic nginx: 2016/05/01 17:07:22 [error] 37603#0: *3261 open() "/usr/local/www/crtr/out.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /crtr/out.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:22 pfsense.magic nginx: 2016/05/01 17:07:22 [error] 37603#0: *3260 open() "/usr/local/www/clicks.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /clicks.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:22 pfsense.magic nginx: 2016/05/01 17:07:22 [error] 37603#0: *3259 open() "/usr/local/www/click.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /click.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:22 pfsense.magic nginx: 2016/05/01 17:07:22 [error] 37886#0: *3258 open() "/usr/local/www/br5.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /br5.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:22 pfsense.magic nginx: 2016/05/01 17:07:22 [error] 37886#0: *3257 open() "/usr/local/www/bp_revision.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /bp_revision.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:22 pfsense.magic nginx: 2016/05/01 17:07:22 [error] 37886#0: *3256 open() "/usr/local/www/bbs/postshow.pl" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /bbs/postshow.pl HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:22 pfsense.magic nginx: 2016/05/01 17:07:22 [error] 37886#0: *3255 open() "/usr/local/www/bbs/postlist.pl" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /bbs/postlist.pl HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:21 pfsense.magic nginx: 2016/05/01 17:07:21 [error] 37603#0: *3254 open() "/usr/local/www/auth" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /auth HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:21 pfsense.magic nginx: 2016/05/01 17:07:21 [error] 37603#0: *3253 open() "/usr/local/www/atx/out.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /atx/out.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:21 pfsense.magic nginx: 2016/05/01 17:07:21 [error] 37603#0: *3252 open() "/usr/local/www/atc/out.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /atc/out.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:21 pfsense.magic nginx: 2016/05/01 17:07:21 [error] 37603#0: *3251 open() "/usr/local/www/at3/out.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /at3/out.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:21 pfsense.magic nginx: 2016/05/01 17:07:21 [error] 37886#0: *3250 open() "/usr/local/www/arr/index.shtml" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /arr/index.shtml HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:21 pfsense.magic nginx: 2016/05/01 17:07:21 [error] 37886#0: *3249 open() "/usr/local/www/ajaxmail" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /ajaxmail HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:21 pfsense.magic nginx: 2016/05/01 17:07:21 [error] 37886#0: *3248 open() "/usr/local/www/a2/out.cgi" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /a2/out.cgi HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:20 pfsense.magic nginx: 2016/05/01 17:07:20 [error] 37886#0: *3247 open() "/usr/local/www/cgi-bin/webproc" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page= HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:20 pfsense.magic nginx: 2016/05/01 17:07:20 [error] 37603#0: *3246 open() "/usr/local/www/rom-0" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /rom-0 HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:14 pfsense.magic nginx: 2016/05/01 17:07:14 [error] 37886#0: *3184 "/usr/local/www/HNAP1/index.html" is not found (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /HNAP1/ HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:13 pfsense.magic nginx: 2016/05/01 17:07:13 [error] 37886#0: *3183 "/usr/local/www/HNAP1/index.html" is not found (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /HNAP1/ HTTP/1.1", host: "10.0.0.1:8443"
What are these and how do I fix them? Or am I better off doing a fresh install?
-
You really want to check what is at 10.0.0.248 and if everything is all right with it. That looks very much like a hijacked machine probing for vulnerable web services.
-
It's the PC I am using to access the pfsense box.
-
Well, something on your PC is probing the pfSense system for pages and cgi scripts that have nothing to do with pfSense.
May 1 17:07:23 pfsense.magic nginx: 2016/05/01 17:07:23 [error] 37886#0: *3264 open() "/usr/local/www/findweather/hdfForecast" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /findweather/hdfForecast HTTP/1.1", host: "10.0.0.1:8443"
May 1 17:07:23 pfsense.magic nginx: 2016/05/01 17:07:23 [error] 37886#0: *3263 open() "/usr/local/www/findweather/getForecast" failed (2: No such file or directory), client: 10.0.0.248, server: , request: "GET /findweather/getForecast HTTP/1.1", host: "10.0.0.1:8443"
-
Is there a proxy involved? A misconfiguration of proxy and/or wrong NAT rules on the LAN interface could explain why those pages get asked from pfSense's internal web server.
-
No, there is not a proxy involved. I did have snort installed at one point, but it was removed before the update.
What would be an incorrect NAT rule?
-
Since you're not running a proxy on your pfSense, there should be no NAT rules for the LAN interface unless they are for another purpose.
-
Okay thanks.
Are all the entries unrelated to pfsense or just the two you highlighted?
-
A lot of it looks completely unrelated to pfSense, such as "ajaxmail", "openwebmail" and "wingame.pl", probably almost all of it, but I didn't cross-check with what's actually on my 2.3 install at /usr/local/www.
-
Could it be that I haven't flushed the cache since the upgrade to 2.3?
Also, is this normal pfsense behaviour, as I don't remember seeing this prior to 2.3?
May 2 13:40:29 xinetd 9279 Reconfigured: new=0 old=12 dropped=0 (services)
May 2 13:40:29 xinetd 9279 readjusting service 19009-tcp
May 2 13:40:29 xinetd 9279 readjusting service 19008-tcp
May 2 13:40:29 xinetd 9279 readjusting service 19007-udp
May 2 13:40:29 xinetd 9279 readjusting service 19007-tcp
May 2 13:40:29 xinetd 9279 readjusting service 19006-udp
May 2 13:40:29 xinetd 9279 readjusting service 19005-udp
May 2 13:40:29 xinetd 9279 readjusting service 19004-udp
May 2 13:40:29 xinetd 9279 readjusting service 19003-tcp
May 2 13:40:29 xinetd 9279 readjusting service 19002-udp
May 2 13:40:29 xinetd 9279 readjusting service 19001-tcp
May 2 13:40:29 xinetd 9279 readjusting service 19000-tcp
May 2 13:40:29 xinetd 9279 readjusting service 6969-udp
May 2 13:40:29 xinetd 9279 Swapping defaults
May 2 13:40:29 xinetd 9279 Starting reconfiguration
May 2 13:26:43 xinetd 9279 unknown child process 90330 died
May 2 13:26:43 xinetd 9279 unknown child process 55482 died
May 2 13:26:43 xinetd 9279 unknown child process 55501 died
May 2 13:26:43 xinetd 9279 unknown child process 55707 died
May 2 13:26:43 xinetd 9279 unknown child process 55790 died
May 2 13:26:43 xinetd 9279 unknown child process 55982 died
May 2 13:26:43 xinetd 9279 unknown child process 56067 died
May 2 13:26:43 xinetd 9279 unknown child process 56304 died
May 2 13:26:43 xinetd 9279 unknown child process 56464 died
May 2 13:26:43 xinetd 9279 unknown child process 56582 died
May 2 13:26:43 xinetd 9279 unknown child process 56778 died
May 2 13:26:43 xinetd 9279 unknown child process 56842 died
May 2 13:26:43 xinetd 9279 unknown child process 56898 died
May 2 13:26:43 xinetd 9279 unknown child process 57054 died
May 2 13:26:43 xinetd 9279 Reconfigured: new=0 old=12 dropped=6 (services)
May 2 13:26:43 xinetd 9279 19012-tcp: svc_release with 0 count
May 2 13:26:43 xinetd 9279 service 19012-tcp deactivated
May 2 13:26:43 xinetd 9279 19011-tcp: svc_release with 0 count
May 2 13:26:43 xinetd 9279 service 19011-tcp deactivated
May 2 13:26:43 xinetd 9279 19010-udp: svc_release with 0 count
May 2 13:26:43 xinetd 9279 service 19010-udp deactivated
May 2 13:26:43 xinetd 9279 19010-tcp: svc_release with 0 count
May 2 13:26:43 xinetd 9279 service 19010-tcp deactivated
May 2 13:26:43 xinetd 9279 Sending signal 9 to 19010-tcp server 57054
May 2 13:26:43 xinetd 9279 Sending signal 9 to 19010-tcp server 56898
May 2 13:26:43 xinetd 9279 Sending signal 9 to 19010-tcp server 56842
May 2 13:26:43 xinetd 9279 Sending signal 9 to 19010-tcp server 56778
May 2 13:26:43 xinetd 9279 Sending signal 9 to 19010-tcp server 56582
May 2 13:26:43 xinetd 9279 Sending signal 9 to 19010-tcp server 56464
May 2 13:26:43 xinetd 9279 Sending signal 9 to 19010-tcp server 56304
May 2 13:26:43 xinetd 9279 Sending signal 9 to 19010-tcp server 56067
May 2 13:26:43 xinetd 9279 Sending signal 9 to 19010-tcp server 55982
May 2 13:26:43 xinetd 9279 Sending signal 9 to 19010-tcp server 55790
May 2 13:26:43 xinetd 9279 Sending signal 9 to 19010-tcp server 55707
May 2 13:26:43 xinetd 9279 Sending signal 9 to 19010-tcp server 55501
May 2 13:26:43 xinetd 9279 Sending signal 9 to 19010-tcp server 55482
May 2 13:26:43 xinetd 9279 Sending signal 9 to 19010-tcp server 90330
May 2 13:26:43 xinetd 9279 19009-udp: svc_release with 0 count
May 2 13:26:43 xinetd 9279 service 19009-udp deactivated
May 2 13:26:43 xinetd 9279 readjusting service 19009-tcp
May 2 13:26:43 xinetd 9279 19008-udp: svc_release with 0 count
May 2 13:26:43 xinetd 9279 service 19008-udp deactivated
May 2 13:26:43 xinetd 9279 readjusting service 19008-tcp
May 2 13:26:43 xinetd 9279 readjusting service 19007-udp
May 2 13:26:43 xinetd 9279 readjusting service 19007-tcp
May 2 13:26:43 xinetd 9279 readjusting service 19006-udp
May 2 13:26:43 xinetd 9279 readjusting service 19005-udp
May 2 13:26:43 xinetd 9279 readjusting service 19004-udp
May 2 13:26:43 xinetd 9279 readjusting service 19003-tcp
May 2 13:26:43 xinetd 9279 readjusting service 19002-udp
May 2 13:26:43 xinetd 9279 readjusting service 19001-tcp
May 2 13:26:43 xinetd 9279 readjusting service 19000-tcp
May 2 13:26:43 xinetd 9279 readjusting service 6969-udp
May 2 13:26:43 xinetd 9279 Swapping defaults
May 2 13:26:43 xinetd 9279 Starting reconfiguration
May 2 13:26:41 check_reload_status Reloading filter
May 2 13:26:32 check_reload_status Syncing firewall
May 2 13:40:33 check_reload_status Reloading filter
May 2 13:40:30 php-fpm 70034 [pfBlockerNG] Starting cron process.
May 2 13:40:29 kernel em0: promiscuous mode enabled
May 2 13:40:29 kernel em0: promiscuous mode disabled
May 2 13:40:29 php-fpm 70034 /rc.start_packages: Restarting/Starting all packages.
-
At first glance it appears there is a local script scanning for vulnerabilities. Do you have a web panel running somewhere in the internal network?
-
So I have exactly the same issue with the exact same requests, but all from a link-local IPv6 client IP:
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7232 open() "/usr/local/www/cgi-bin/click.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/click.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7233 open() "/usr/local/www/cgi-bin/clicks.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/clicks.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7234 open() "/usr/local/www/cgi-bin/crtr/out.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/crtr/out.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7235 open() "/usr/local/www/cgi-bin/fg.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/fg.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7236 open() "/usr/local/www/cgi-bin/findweather/getForecast" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/findweather/getForecast HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7237 open() "/usr/local/www/cgi-bin/findweather/hdfForecast" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/findweather/hdfForecast HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7238 open() "/usr/local/www/cgi-bin/frame_html" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/frame_html HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7239 open() "/usr/local/www/cgi-bin/getattach" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/getattach HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7240 open() "/usr/local/www/cgi-bin/hotspotlogin.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/hotspotlogin.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7241 open() "/usr/local/www/cgi-bin/hslogin.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/hslogin.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7242 open() "/usr/local/www/cgi-bin/ib/301_start.pl" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/ib/301_start.pl HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7243 open() "/usr/local/www/cgi-bin/index.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/index.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7244 open() "/usr/local/www/cgi-bin/index" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/index HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7245 open() "/usr/local/www/cgi-bin/krcgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/krcgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7246 open() "/usr/local/www/cgi-bin/krcgistart" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/krcgistart HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7247 open() "/usr/local/www/cgi-bin/link" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/link HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7248 open() "/usr/local/www/cgi-bin/login.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/login.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7249 open() "/usr/local/www/cgi-bin/login" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/login HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7250 open() "/usr/local/www/cgi-bin/logout" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/logout HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7251 open() "/usr/local/www/cgi-bin/logout" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/logout HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7252 open() "/usr/local/www/cgi-bin/mainmenu.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/mainmenu.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7253 open() "/usr/local/www/cgi-bin/mainsrch" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/mainsrch HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7254 open() "/usr/local/www/cgi-bin/msglist" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/msglist HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7255 open() "/usr/local/www/cgi-bin/navega" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/navega HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7256 open() "/usr/local/www/cgi-bin/openwebmail/openwebmail-main.pl" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/openwebmail/openwebmail-main.pl HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7257 open() "/usr/local/www/cgi-bin/out.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/out.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7258 open() "/usr/local/www/cgi-bin/passremind" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/passremind HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7259 open() "/usr/local/www/cgi-bin/rbaccess/rbcgi3m01" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/rbaccess/rbcgi3m01 HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7260 open() "/usr/local/www/cgi-bin/rbaccess/rbunxcgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/rbaccess/rbunxcgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7261 open() "/usr/local/www/cgi-bin/readmsg" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/readmsg HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7262 open() "/usr/local/www/cgi-bin/rshop.pl" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/rshop.pl HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7263 open() "/usr/local/www/cgi-bin/search.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/search.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7264 open() "/usr/local/www/cgi-bin/spcnweb" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/spcnweb HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7265 open() "/usr/local/www/cgi-bin/sse.dll" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/sse.dll HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7266 open() "/usr/local/www/cgi-bin/start" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/start HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7267 open() "/usr/local/www/cgi-bin/te/o.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/te/o.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7268 open() "/usr/local/www/cgi-bin/tjcgi1" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/tjcgi1 HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7269 open() "/usr/local/www/cgi-bin/top/out" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/top/out HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7270 open() "/usr/local/www/cgi-bin/traffic/process.fcgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/traffic/process.fcgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7271 open() "/usr/local/www/cgi-bin/verify.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/verify.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7272 open() "/usr/local/www/cgi-bin/webproc" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/webproc HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7273 open() "/usr/local/www/cgi-bin/webscr" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/webscr HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7274 open() "/usr/local/www/cgi-bin/wingame.pl" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/wingame.pl HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7275 open() "/usr/local/www/das/cgi-bin/session.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /das/cgi-bin/session.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7276 open() "/usr/local/www/fcgi-bin/dispatch.fcgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /fcgi-bin/dispatch.fcgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7277 open() "/usr/local/www/fcgi-bin/performance.fcgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /fcgi-bin/performance.fcgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7278 open() "/usr/local/www/redir/cgi-bin/ajaxmail" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /redir/cgi-bin/ajaxmail HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: 7281 open() "/usr/local/www/cgi-bin/webproc" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page= HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7282 open() "/usr/local/www/rom-0" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /rom-0 HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
I also have similar xinetd entries.
I also don't know what's causing this, and I did seem to start noticing it around when I upgraded to 2.3. Searching for some of the more distinctive entries (e.g. "cgi-bin/ib/301_start.pl") has yielded more than a few hits referring to potential malware. I haven't been able to locate any on my network so far, but it's a small home network so I'll scan all the Windows hosts on it.
To mudman4c's point, I'm certainly not aware of any local scripts scanning for vulnerabilities, but I can't categorically rule that out yet either. If I figure anything out I'll provide updates. Whatever it is, we seem to have exactly the same issue.
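To work out which LAN host is behind entries like these, the error log can be grouped by client address. The following is an added example, not part of the original posts: it parses lines in the format quoted above, flags any client that requests many distinct missing paths in a short burst, and lists requests containing `../`. The 10-second window, the 5-path threshold, the helper names and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?'
    r'open\(\) "[^"]*" failed \(2: No such file or directory\), '
    r'client: (?P<client>[^,]+), .*?request: "(?P<method>\S+) (?P<uri>\S+)'
)

def summarize(lines, window=timedelta(seconds=10), min_paths=5):
    """Group 'No such file' errors by client and flag probe-like bursts."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            hits[m["client"]].append((ts, m["uri"]))
    report = {}
    for client, events in hits.items():
        events.sort()
        burst, start = False, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # shrink window
                start += 1
            paths = {uri.split("?", 1)[0] for _, uri in events[start:end + 1]}
            burst = burst or len(paths) >= min_paths
        report[client] = {
            "distinct_paths": len({u.split("?", 1)[0] for _, u in events}),
            "burst": burst,
            "traversal": [u for _, u in events if "../" in u],
        }
    return report

# Constructed sample lines in the same format as the log excerpts in the thread.
def make_line(sec, client, uri):
    path = uri.split("?", 1)[0]
    return (f'May 9 13:05:{sec:02d} fw.example nginx: 2016/05/09 13:05:{sec:02d} '
            f'[error] 75579#0: *1 open() "/usr/local/www{path}" failed '
            f'(2: No such file or directory), client: {client}, server: , '
            f'request: "GET {uri} HTTP/1.1", host: "10.0.0.1:8443"')

SAMPLE = [make_line(46, "10.0.0.248", u) for u in (
    "/cgi-bin/readmsg", "/cgi-bin/search.cgi", "/cgi-bin/webscr",
    "/fcgi-bin/dispatch.fcgi", "/rom-0",
    "/cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page=",
)] + [make_line(10, "10.0.0.17", "/favicon.ico")]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A client flagged with `burst` is the machine to inspect first; a single missing file such as a favicon does not trip the threshold.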
-
Curious what browser the two of you who are showing these logs are using. And they are Windows machines, yes?
-
In my case yes, these anomalous log entries correspond to LAN IPs belonging to two different Windows machines on the network. I'll need to check with the individual users, but I'm fairly certain they both use Firefox almost exclusively. The most interesting external resource I've located that references all of these URLs is this: http://www.network-builders.com/anyone-recognise-malware-causing-please-t111617.html Unfortunately, it's not conclusive as to a cause or if it's really malware or something benign. Nevertheless, I have gotten in touch with the user of one of the two implicated machines on my network and he is currently running a full virus scan and Malwarebytes scan.
-
After upgrading to pfSense 2.3, I also got the same HTTP errors in my log. By searching Google it looks like Avast antivirus is the cause of this kind of scanning.
http://nazarenolatella.myblog.it/2015/12/27/avast-free-lo-scan-che-ti-aspetti/ , an Italian page
I also checked /var/log/nginx.log and see some strings related to Avast.
-
Thanks for that information cshy, it's much appreciated. I will get in contact with the users of the two offending machines on my network to see whether I can confirm that they are both running Avast. If my memory serves, it seems quite likely. I'll provide an update either way when I find out.
-
Why would Avast be scanning within specific port ranges for specific pages? This makes no sense to me.
-
I agree, it definitely makes no sense to me either. But it does seem to be Avast that's behind it. I've confirmed with 1 of my 2 users that they run Avast. And here's another thread that seems to implicate it, although again it's frustratingly inconclusive: https://www.reddit.com/r/techsupport/comments/40v5go/weird_traces_in_firewall_coming_from_my_machine/ Could it be trying to scan the LAN for known web server vulnerabilities? That would seem outside the purview of free consumer grade AV software.
-
I got the exact same errors, also being generated by workstations running Avast. From their sales blurb: "Home Network Security: Is your router set up properly? We’ll tell you. Otherwise, anyone can break into your network and anything connected to it (like your computer, phone, or printer)." FYI, ESET Internet Security 10 also scans your router. I ran it for giggles and it told me my router was probably compromised as it had ports like 443 open lol.
-
If Avast is searching port 8443 for multiples of pages at random, which is most recently well known for plesk panel, which can assist with the hosting of multiples of VM / CT's, I'll eat a live crocodile. Now this may somehow be, so I'll make sure I have my spork ready. But I doubt I'll need it.
This is a clear sign there is 'something' even a local webserver (even if one was never intentionally installed locally) which has found its way into 'something' on the local network or machine, and is looking for something to exploit, by the known exploitable pages, which have already or should be already downloaded by a script, in many cases.
Very much the same logs can be found in almost any Apache server logs, showing a remote attacker attempting to find something.
The firewall, pfSense, is now showing you the attempts.
Again, I'll keep the spork ready to run if I'm proven wrong.